Set session length for Google services
This feature isn't available in the free edition of Cloud Identity.
As an administrator, you can control how long users can access Google services, such as Gmail, without having to sign in again. For example, for users that work remotely or from untrusted locations, you might want to limit the time that they can access sensitive resources by applying a shorter session length. If users want to continue accessing a resource when a session ends, they’re prompted to sign in again and start a new session.
How the settings work on mobile devices vary by device and app (see Considerations below). By default, the session length for Google services is 14 days.
When and how users sign in
- When you change the session length, users need to sign out and in again for settings to take effect.
- Users might not sign out for some time. If you want them to sign in again sooner, you can reset users’ sign-in cookies. You have to reset each user one at a time. For details, see Block access to your Google service on a lost device.
- If you set the session to never expire, users never have to sign in again.
- If you need some users to sign in more frequently than others, place them in different organizational units. Then, apply different session lengths to them. That way, certain users won’t be interrupted to sign in when it isn’t necessary.
- You can also require users to sign in with 2-Step Verification (2SV). To verify trusted devices, you could have users touch their security key. For details, see Set up 2-Step Verification.
- You can’t configure session lengths for native mobile apps, such as Gmail or Google Calendar, on Android or Apple® iOS®devices.
For Chrome Browser:
- You can only apply session-length settings to Chrome Browser on Android or iOS devices when the user is not signed in. If the user is signed in, settings won't apply. However, you can apply session-length settings as normal on other mobile browsers, such as Apple® Safari® and Mozilla® Firefox®.
Third-party identity providers
- If you’re using a third-party identity provider (IdP), such as Okta® or Ping®, and you set session lengths for your users, you need to set the IdP session length parameter to expire before the Google session expires. That way, your users will be forced to sign in again. If the third-party IdP session is still valid when the Google session expires, the Google session might be renewed automatically without the user signing in again.
- For details on how to set the session length on your specific IdP, refer to your IdP's documentation.
Set session durations
From the Admin console Home page, go to SecurityGoogle session control.
To see Security on the Home page, you might have to click More controls at the bottom.
- On the left, select the organizational unit where you want to set session length.
For all users, select the top-level organizational unit. Otherwise, select another organization to make settings for its users. Initially, an organization inherits the settings of its parent organization.
- For Session control, under Web session duration, choose the length of time after which the user has to sign in again.
- Click Override to keep the setting the same, even if the parent setting changes.
- If the organizational unit's status is already Overridden, choose an option:
- Inherit—Reverts to the same setting as its parent.
- Save—Saves your new setting (even if the parent setting changes).